NO-JIRA: Add ECDSA certificate generation support via annotation

[fabiendupont]

Adds support for generating ECDSA P-256 certificates by specifying the key algorithm via the new service annotation:
service.beta.openshift.io/serving-cert-key-algorithm: ecdsa

When the annotation is not specified or set to "rsa", the operator generates RSA certificates for full backwards compatibility.

This enables services to opt into modern elliptic curve cryptography, which provides equivalent security to 3072-bit RSA with significantly smaller keys (~87% smaller) and better performance.

Implementation:

• Added ServingCertKeyAlgorithmAnnotation constant in api.go
• Modified MakeServingCert() to check annotation and select algorithm
• Uses library-go's new MakeServerCertWithAlgorithm() API
• Validates annotation values (rsa, ecdsa) with helpful error messages
• Case-insensitive algorithm matching

Testing:

• Added TestECDSACertificateGeneration with 5 test cases
• Verifies RSA (default and explicit), ECDSA, and invalid inputs
• All existing tests pass with no regressions

Depends on: openshift/library-go#2116

[openshift-ci-robot]

@fabiendupont: This pull request explicitly references no jira issue.

Details

In response to this:

Adds support for generating ECDSA P-256 certificates by specifying the key algorithm via the new service annotation:
service.beta.openshift.io/serving-cert-key-algorithm: ecdsa

When the annotation is not specified or set to "rsa", the operator generates RSA certificates for full backwards compatibility.

This enables services to opt into modern elliptic curve cryptography, which provides equivalent security to 3072-bit RSA with significantly smaller keys (~87% smaller) and better performance.

Implementation:

• Added ServingCertKeyAlgorithmAnnotation constant in api.go
• Modified MakeServingCert() to check annotation and select algorithm
• Uses library-go's new MakeServerCertWithAlgorithm() API
• Validates annotation values (rsa, ecdsa) with helpful error messages
• Case-insensitive algorithm matching

Testing:

• Added TestECDSACertificateGeneration with 5 test cases
• Verifies RSA (default and explicit), ECDSA, and invalid inputs
• All existing tests pass with no regressions

Depends on: openshift/library-go#2116

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fabiendupont
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment